Apple's Security Update Message Fails PGP Authentication
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

yes, I did sign their key, Apple generated a new key and didn't sign it with the old one or have anyone continue its trust path.. It would be a good thing if someone else signed it and sent notice to Product Security <product-security@apple.com>, you can contact them there and ask them to verify the fingerprint or use their website.. either way, isn't it funny that they use a PGP key to verify their security updates and yet with all the CDSA code they have on X, none of it supports the PGP key infrastructure. actually I am not sure what the Security framework is used for, I suspect encrypting passwords on keychain and now System update.. but not ssh/scp or mail.app. too bad.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.5

iQA/AwUBPU1S89ixAAkLPvBCEQKibgCg9DmZJt4cNsQtgXLHEtvnJT2ZW3YAoNFO
sFVWo7a5peL7W8//5HSXRVAG
=86oB
-----END PGP SIGNATURE-----

At 10:05 AM -0400 8/3/02, R. A. Hettinga wrote:
--- begin forwarded text
Status: RO
Delivered-To: mac_crypto@vmeng.com
To: mac_crypto@vmeng.com
From: Fearghas McKay <fm@st-kilda.org>
Subject: [Mac_crypto] "Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl" does not verify
Sender: mac_crypto-admin@vmeng.com
Date: Sat, 3 Aug 2002 08:38:50 +0100
**A verification of this security announcement mail fails**
The key is signed by Vinnie Moscaritolo - vinnie@vmeng.com, which is a good thing even if Vinnie is no longer at Apple (which is a bad thing); it is also signed by someone who does not appear on any of the public keyservers that I can find, which is a bit disappointing.
Verified version is at the bottom.
f
--- begin forwarded text
--
Vinnie Moscaritolo
ITCB-IMSH
PGP: 3F903472C3AF622D5D918D9BD8B100090B3EF042